Forums (Obsolete)

Member

peter.postma-kiwa - 3/8/2012 8:58:07 AM

Security on pdf files

Our website allows only registered users. On top of this we have some content that is only available to users with dedicated roles. This works fine for pages and articles, but not for files (pdf). Whatever I fill in at the properties - security page, all registered users can access these files. Currently I have the following Site settings:

- Security - Check page permissions: ALL
- Files - Check files permissions: true
- Files - Check if files are published: true
- Files - Store Files in Database: true

At the properties - security page of the file I have the following settings:
- no inheritance
- Users and roles:
- Special role: read access
- Registered users: deny all
- Authentication: Yes

Still all registered users have access. An article with the same settings works fine (registered users cannot access it). What is going wrong with the files?

Kentico Support

kentico_radekm - 3/8/2012 10:46:36 AM

RE:Security on pdf files

Hello.

If setting "check file permissions" is enabled, user is allowed to view document related files only if she can view the document.

I.e. if user in roleX is allowed to view the document on the live site, therefor she is also allowed to view all the files related to the document.

To make this user unable to view this file, you have to set "Requires authentication" to "Yes" on the security tab of the document + set "Check page permissions" to "Secured areas" (in Settings > Security & membership). The file is then accessible on live site only for the authenticated users according to their permissions for the related document.

Best Regards,
Radek Macalik

Member

peter.postma-kiwa - 3/13/2012 11:01:40 AM

RE:Security on pdf files

Hi Radek,

Thank you for your reply. Unfortunately it doesn't work. For the record, based on your reply I have tried the following settings for the site:

- Security - Check page permissions: SECUREDAREAS

And for the security settings of the pdf file:
- no inheritance
- Users and roles:
- Special role X: read access
- Registered users: deny
- Requires authentication: Yes

Still all registered users can open the file and not just the users with the special role X. Any other ideas?


Kentico Support	kentico_radekm - 3/18/2012 5:33:19 PM RE:Security on pdf files Hello. Did you also explicitly denied role(s) which you wish not to be able to read that document / file? Best Regards, Radek Macalik

Member

peter.postma-kiwa - 3/19/2012 7:22:35 AM

RE:Security on pdf files

Hi,

Yes, as you can see in my first post I even denied everything. I have also tried to move the document under a Page with limited access and inherite the settings. But although it works for the Page item, it doesn't work for the document it self.

My current solution is to only show the link to the PDF file on a Page with restricted access. However when somehow somebody nows the link to document, he can still download it without the special priveleges.


Kentico Support	kentico_jurajo - 3/27/2012 1:09:34 AM RE:Security on pdf files Hi, Have you considered the upgrade to a newer version of Kentico CMS? Regrettably, in version 3.x there was a bug with the direct links to the secured files. It was already fixed in newer versions. I am sorry for this inconvenience. Best regards, Juraj Ondrus